ci: update testrunner and use dd-octo-sts everywhere (#14152)

Use the latest version of testrunner image in CI, including the new one
which contains `dd-octo-sts` got GitHub token management.

This PR:

- Use the new image locally and in CI
- We use the ghcr image still locally since external contributors need
to be able to pull the image
- Don't install riot when we already have it baked in
- Replace aws ssm with dd-octo-sts to generate GitHub API tokens
- Update scripts/ddtest for the new projects directory for the
testrunner image



The biggest change being introduced here is we are moving to a
testrunner image which uses the user `bits` by default `/home/bits/` as
the working directory.

## Checklist
- [x] PR author has checked that all the criteria below are met
- The PR description includes an overview of the change
- The PR description articulates the motivation for the change
- The change includes tests OR the PR description describes a testing
strategy
- The PR description notes risks associated with the change, if any
- Newly-added code is easy to change
- The change follows the [library release note
guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html)
- The change includes or references documentation updates if necessary
- Backport labels are set (if
[applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting))

## Reviewer Checklist
- [ ] Reviewer has checked that all the criteria below are met 
- Title is accurate
- All changes are related to the pull request's stated goal
- Avoids breaking
[API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces)
changes
- Testing strategy adequately addresses listed risks
- Newly-added code is easy to change
- Release note makes sense to a user of the library
- If necessary, author has acknowledged and discussed the performance
implications of this PR as reported in the benchmarks PR comment
- Backport labels are set in a manner that is consistent with the
[release branch maintenance
policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)

Author: brettlangdon

.coveragerc

@@ -8,5 +8,5 @@ disable_warnings = couldnt-parse
 [paths]
 source =
     ./
-    /home/circleci/project/
     /root/project/
+    /home/bits/project

.github/workflows/requirements-locks.yml

@@ -11,7 +11,9 @@ jobs:
   validate:
     name: Check requirements lockfiles
     runs-on: ubuntu-latest
-    container: ghcr.io/datadog/dd-trace-py/testrunner:bca6869fffd715ea9a731f7b606807fa1b75cb71@sha256:9e3f53fa98ffc4b838b959d74d969aa2c384c4cbee7a3047a03d501be5f58760
+    container:
+      image: ghcr.io/datadog/dd-trace-py/testrunner:ae4c189ebf8e539f39905f21c7918cc19de69d13@sha256:9476c426c677d39a58c170ed3167e4d630ed4f067a8a2be2fb96d843795d2ac2
+      options: "--user 0"
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:

.gitlab-ci.yml

@@ -42,8 +42,16 @@ include:
 tests-gen:
   stage: tests
   extends: .testrunner
+  id_tokens:
+    DDOCTOSTS_ID_TOKEN:
+      aud: dd-octo-sts
   script:
-    - pip install riot==0.20.1
+    - |
+      if [ -z ${GH_TOKEN} ]
+      then
+        # Use dd-octo-sts to get GitHub token
+        export GH_TOKEN=$(dd-octo-sts token --scope DataDog/dd-trace-py --policy gitlab.github-access.read)
+      fi
     - riot -v run --pass-env -s gitlab-gen-config -v
   needs: []
   artifacts:

.gitlab/benchmarks/microbenchmarks.yml

@@ -8,7 +8,7 @@ variables:
   BENCHMARKING_IMAGE_REGISTRY: 486234852809.dkr.ecr.us-east-1.amazonaws.com
   MICROBENCHMARKS_CI_IMAGE: $BENCHMARKING_IMAGE_REGISTRY/ci/benchmarking-platform:dd-trace-py
   PACKAGE_IMAGE: registry.ddbuild.io/images/mirror/pypa/manylinux2014_x86_64:2024-08-12-7fde9b1
-  GITHUB_CLI_IMAGE: registry.ddbuild.io/github-cli:v27480869-eafb11d-2.43.0
+  GITHUB_CLI_IMAGE: registry.ddbuild.io/images/dd-octo-sts-ci-base:2025.06-1
   BENCHMARKING_BRANCH: dd-trace-py
 
 .benchmarks:
@@ -64,6 +64,9 @@ baseline:detect:
   image: $GITHUB_CLI_IMAGE
   tags: [ "arch:amd64" ]
   stage: build
+  id_tokens:
+    DDOCTOSTS_ID_TOKEN:
+      aud: dd-octo-sts
   variables:
     UPSTREAM_BRANCH: $CI_COMMIT_REF_NAME
   script: |
@@ -74,7 +77,8 @@ baseline:detect:
 
     if [ -z ${GH_TOKEN} ]
     then
-      aws ssm get-parameter --region us-east-1 --name ci.$CI_PROJECT_NAME.gh_token --with-decryption --query "Parameter.Value" --out text > token
+      # Use dd-octo-sts to get GitHub token
+      dd-octo-sts token --scope DataDog/dd-trace-py --policy gitlab.github-access.read > token
       gh auth login --with-token < token
       rm token
     fi

.gitlab/templates/build-base-venvs.yml

@@ -18,8 +18,6 @@ build_base_venvs:
     - when: always
   script: |
     set -e -o pipefail
-    apt update && apt install -y sccache
-    pip install riot==0.20.1
     riot -P -v generate --python=$PYTHON_VERSION
     echo "Running smoke tests"
     riot -v run -s --python=$PYTHON_VERSION smoke_test

.gitlab/templates/cached-testrunner.yml

@@ -2,7 +2,6 @@
   extends: .testrunner
   variables:
     PIP_CACHE_DIR: '${{CI_PROJECT_DIR}}/.cache/pip'
-    SCCACHE_DIR: '${{CI_PROJECT_DIR}}/.cache/sccache'
     EXT_CACHE_VENV: '${{CI_PROJECT_DIR}}/.cache/ext_cache_venv'
   before_script: |
     ulimit -c unlimited
@@ -26,13 +25,13 @@
     deactivate
     $SHELL scripts/save-ext-cache.sh
   cache:
-    # Share pip/sccache between jobs of the same Python version
-    - key: v1-build_base_venvs-${{PYTHON_VERSION}}-cache-{current_month}
+    # Share pip between jobs of the same Python version
+    - key: v2-build_base_venvs-${{PYTHON_VERSION}}-cache-{current_month}
       paths:
         - .cache
-    - key: v1-build_base_venvs-${{PYTHON_VERSION}}-ext-{current_month}
+    - key: v2-build_base_venvs-${{PYTHON_VERSION}}-ext-{current_month}
       paths:
         - .ext_cache
-    - key: v1-build_base_venvs-${{PYTHON_VERSION}}-download-cache-{current_month}
+    - key: v2-build_base_venvs-${{PYTHON_VERSION}}-download-cache-{current_month}
       paths:
         - .download_cache

.gitlab/testrunner.yml

@@ -1,10 +1,17 @@
+variables:
+  TESTRUNNER_IMAGE: registry.ddbuild.io/dd-trace-py:v72171907-b7ecc7e-testrunner-2025.07.29@sha256:0951475f34dad2b2eed3f30f79895676dd6fb9c1ae2563c93729942ebbb269aa
+
 .testrunner:
-  image: ghcr.io/datadog/dd-trace-py/testrunner:8b69a2610342b333f8832422ffc4f3a9327bed13@sha256:c2d067947ffdb305fc7dc7ff1f8eb7035cfa110bd1199917dd2519eadd166402
+  image:
+    name: ${TESTRUNNER_IMAGE}
+    docker:
+      user: bits
   # DEV: we have a larger pool of amd64 runners, prefer that over arm64
   tags: [ "arch:amd64" ]
   timeout: 20m
   before_script:
     - ulimit -c unlimited
+    - git config --global --add safe.directory ${CI_PROJECT_DIR}
     - pyenv global 3.12 3.8 3.9 3.10 3.11 3.13
     - export _CI_DD_AGENT_URL=http://${HOST_IP}:8126/
   retry: 2

.gitlab/tests.yml

@@ -98,7 +98,7 @@ include:
     # DEV: All job variables get shared with services, setting `DD_TRACE_AGENT_URL` on the testagent will tell it to forward all requests to the
     # agent at that host. Therefore setting this as a variable will cause recursive requests to the testagent
     - export DD_TRACE_AGENT_URL="http://testagent:9126"
-    - ln -s "${CI_PROJECT_DIR}" "/root/project"
+    - ln -s "${CI_PROJECT_DIR}" "/home/bits/project"
 
 
 # Required jobs will appear here

.riot/requirements/1336cbd.txt

@@ -22,7 +22,7 @@ pastedeploy==3.1.0
 plaster==1.1.2
 plaster-pastedeploy==1.0.1
 pluggy==1.5.0
-pserve-test-app @ file:///root/project/tests/contrib/pyramid/pserve_app
+pserve-test-app @ file:///home/bits/project/tests/contrib/pyramid/pserve_app
 pyramid==2.0.2
 pytest==8.3.1
 pytest-cov==5.0.0

.riot/requirements/192e4d0.txt

@@ -22,7 +22,7 @@ pastedeploy==3.1.0
 plaster==1.1.2
 plaster-pastedeploy==1.0.1
 pluggy==1.5.0
-pserve-test-app @ file:///root/project/tests/contrib/pyramid/pserve_app
+pserve-test-app @ file:///home/bits/project/tests/contrib/pyramid/pserve_app
 pyramid==2.0.2
 pytest==8.3.1
 pytest-cov==5.0.0